Professional Documents
Culture Documents
Educause Security Professionals Atlanta GA, April 12th-14th, 2010 Joe St Sauver, Ph.D. Internet2 Security Programs Manager Internet2 and the University of Oregon (joe@uoregon.edu or joe@internet2.edu)
http://www.uoregon.edu/~joe/mobile-device-security/
Disclaimer: all opinions expressed are those of the author and do not necessarily represent the opinion of any other entity or organization.
For the purposes of this session, well define mobile Internet devices to be the sorts of things you might expect: iPhones, BlackBerry devices, Android phones, Windows Mobile devices, etc. -- pocket size devices that can access the Internet via WiFi, cellular/3G, etc. If you like, we can stretch the definition to include traditional laptops and tablet computers such as the iPad (maybe you have big pockets?), and maybe even conventional cell phones, thumb drives, etc. Well try to draw a hard line at anything that requires fiber connectivity or a pallet jack to move. :-) 3
This Part of Todays Hot Topic Session: Security of Mobile Internet Devices
About half of the respondents (51.2%) indicated that they own an Internet capable handheld device, and another 11.8% indicated that they plan to purchase one in the next 12 months [...]
Faculty/staff ownership of mobile internet devices is more complicated: there are a variety of devices available (Which one(s) should we support?), costs of service plans can be high (It costs how much per month for your data plan???), and the IRS treats them oddly (see www.irs.gov/govt/fslg/article/0,,id=167154,00.html )
4
A Semi-Zen-like Koan
If I didnt buy the mobile device, and the mobile device isnt using my institutional network, and the mobile device isnt directly touching my servers, do I even care that it exists? (Not quite as pithy as, If a tree falls in the forest when no ones around, does it still make any sound? but you get the idea). Yes, you should care.
You may think that that device isnt something you need to worry about, but at some point in the future that WILL change. Suddenly, for whatever reason (or seemingly for no reason) at least some of those devices WILL begin to use your network and/or servers, or some of those devices WILL end up receiving or storing personally identifiable information (PII).
7
Are We Seeing A Recapitulation of The Good Old Managed vs. Unmanaged PCs Paradigm?
For a long time way back in the old days, traditional IT management pretended that PCs didnt exist. While they were in denial, people bought whatever PCs they wanted and administered them themselves. While that sometimes worked well, other times chaos reigned. Today's more closely managed enterprise model was the result of that anarchy. At some sites, standardized PC configurations are purchased and tightly locked down and are then centrally administered. While Im not a fan of this paradigm, I recognize that it is increasingly common. Are we re-experiencing that same evolution for mobile Internet devices? Or are we still denying that mobile Internet devices even exist? What policies might we see?
10
-- you can require the user *have* a password -- you can require a *long*/*complex* password -- you can set max number of failures (or the max days of non-use) before the device is wiped out (the device can then be restored from backup via iTunes) -- you can specify a maximum password change interval -- you can prevent password reuse via password history -- you can specify an interval after which a screen-locklike password will automatically need to be re-entered
RIM offer similar controls for BlackBerry devices.
13
Some of these settings may be less applicable or less important to higher ed folks than to corp/gov users.
14
-- change their name servers (and if I can change their name servers, I can totally control where they go) -- add my own root certs (allowing me to MITM their supposedly secure connections) -- change email, WiFi or VPN settings, thereby allowing me to sniff their connections and credentials -- conduct denial of service attacks against the user, including blocking their access to email or the web
These config files also can be made non-removable (except through wiping and restoring the device).
16
Strong device passwords and hardware encryption are primary protections against PII getting compromised, but another potentially important option is being able to remotely wipe the hardware with a magic kill code. Both iPhones and BlackBerry devices support this option. Important notes: -- If a device is taken off the air (e.g., the SIM card has been removed, or the device has been put into a electromagnetic isolation bag), a device kill code may not be able to be received and processed. -- Some devices (including BlackBerries) acknowledge receipt and execution of the kill code, others may not. -- Pre-3GS versions of the iPhone may take an hour per 8GB of storage to wipe; 3GSs wipe instantaneously.
21
What about BlackBerry users? Just like iPhone users, BlackBerry users can run Opera Mini but not Firefox.
24
What Do Your Key Websites Look Like On Your Mobile Internet Device?
Web sites optimized for fast, well-connected computers with large screens may not look good or work well on mobile devices. If those sites are running key applications, a lack of mobile device app usability may even be a security issue (for example, normal anti-phishing visual cues may be hard to see, or easily overlooked on a knock-off "secure" site). Have you looked at your home page and your key applications on a mobile Internet device? How do they look? One web site which may help open your eyes to the need for a redesign (or at least a separate website for mobile devices) is http://www.testiphone.com/ Should you create an http://m.<yoursite>.edu/ page?
26
Counterfeit Hardware
Counterfeit computer and network hardware is a major concern for some manufacturers and the U.S. government Knock-off iPhones are currently being seen in the U.S. One good description of a knock off iPhone is available at http://www.macmedics.com/blog/2009/06/27/ counterfeit-iphone-3g-stops-by-macmedics-by-way-ofdisputed-ebay-auction/ Apple and legal authorities are putting pressure on the sources of some of these knock-offs (e.g., see "Chinese Counterfeit iPhone Workshop Raided," Jan 20, 2010, http://www.tuaw.com/2010/01/20/ chinese-counterfeit-iphone-workshop-raided/ ), but until this problem is resolved (if ever!) you should be on guard against counterfeit hardware from 3rd party sources.
29
Discussion Time!
Now that weve finished outlining some of the security issues that we think may be associated with mobile Internet devices, wed like to hear what you think! Are you and your users embracing mobile Internet devices? What kind? iPhones? BlackBerries? Other? Whats been your experience? Successes? Challenges? Whos the biggest advocate of mobile devices at your site? Students? Faculty members? Administrators? Do you have a campus mobile device policy? Do you have a designated group on campus that serves as the point of contact for mobile device support? How are you control PII exposure on those devices? Are you satisified with your devices backups? What would YOU like to talk about around this topic? 31